The_Nude_Deer
Contributor

BGP From Fortigate To Cisco not changing routing table

From the rough diagram below, I have an issue with an SDWAN spoke. It has 2 IPSEC tunnels as its SDWAN members: one to DC1, where the LAN sits behind a Cisco switch, and another IPSEC tunnel to DC2 with the same setup.


The 2 DC switches swap routes via EIGRP. The Hub Fortigates in each DC have EBGP to the switches, where the routes have been redistributed from EIGRP. This is an inherited set up which does need to change!


When I "break" the IPSEC to DC1 by disabling the IPSEC interface, traffic now correctly goes down the SDWAN via the DC2 IPSEC; I can see this happening, no problem. The issue is that the Cisco switch does not see this at all, and still believes the LAN is behind its EBGP neighbour in DC1?


From the DC2 switch, the route to the LAN on the spoke, 192.168.1.0/24, should now be via the DC2 Fortigate connected to its switch:


* 192.168.1.0/24 > DC2-FORTIGATE 0 65400 ?
*> DC1-SWITCH 25600512 32768 ?


However, the DC2 switch shows the above: the route is there with a weight of 0, and it has picked the best route via DC1. That is no longer reachable, so why is the route there?


I then bring the interface up, and the routing tables stay the same on the switches; I have to clear ip bgp on the switches to make it all work again.


Hope you guys can offer some help; this is giving me sleepless nights.



The_Nude_Deer
Contributor

The route is now that way actually, so it's correct; it's just that the switch is advertising it back up.

traceroute to 192.168.1.1 (192.168.1.1), 32 hops max, 3 probe packets per hop, 84 byte packets
1 * 10.99.2.81 0.403 ms 0.382 ms
2 10.99.2.82 0.066 ms 0.040 ms 0.041 ms
3 10.99.2.81 0.522 ms 0.415 ms 0.278 ms
4 10.99.2.82 0.055 ms 0.054 ms 0.056 ms
5 10.99.2.81 0.585 ms 0.484 ms 0.369 ms
6 10.99.2.82 0.074 ms 0.074 ms 0.077 ms
etc

srajeswaran

Yes, we can try this.

Regards,
Suraj
The_Nude_Deer
Contributor

Not sure the best way to accomplish this! I need it to advertise the spoke routes down to the DC1 switch, but not accept the spoke routes if they are coming UP from the DC1 switch.

srajeswaran

Ideally the 192.168.1.0/24 route should not be coming from the switches, so if you just apply a route filter to block this subnet from the switches, I think it can fix the issue.

ref: https://docs.fortinet.com/document/fortigate/7.4.1/administration-guide/170065/route-filtering-with-...

Regards,
Suraj
The_Nude_Deer

I will look at this later as I have to pop out. The switches need to know that 192.168.1.0 is on the DC2 side, and the switches need to know it's on the DC1 side when the link is back up, so if I block it on DC1, will the switch at DC1 go the other way as it should?

srajeswaran

The filter is applied on the Fortigates to block the route coming from the switch, and not the other way, so ideally the switches learning the route from the FGTs shouldn't be an issue.


Regards,
Suraj
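As an added example (not from any poster in this thread, and not taken from Fortinet's documentation), this is the inbound filter srajeswaran describes written as FortiOS CLI: it is applied on the hub FortiGate's EBGP neighbor towards its DC switch, so the spoke LAN prefix is never accepted back from the switch while everything the FortiGate advertises down to the switch is untouched. The prefix-list name and the neighbor address 10.0.0.1 are assumed placeholders, and the same configuration would be repeated on the DC2 hub for its own switch neighbor.

```fortios
# Added example: refuse the spoke LAN prefix when the DC switch offers it
# back to the hub FortiGate. Names and the neighbor address are placeholders.
config router prefix-list
    edit "PL-DENY-SPOKE-LAN-IN"
        config rule
            # Drop the spoke LAN exactly as advertised (no ge/le, so /24 only)
            edit 1
                set action deny
                set prefix 192.168.1.0 255.255.255.0
                unset ge
                unset le
            next
            # Everything else learned from the switch is still accepted
            edit 2
                set action permit
                set prefix any
                unset ge
                unset le
            next
        end
    next
end

config router bgp
    config neighbor
        # The EBGP session towards the DC switch (placeholder address)
        edit "10.0.0.1"
            # Inbound direction: this filters what the FortiGate accepts FROM
            # the switch. Nothing is set outbound, so the FortiGate keeps
            # advertising the spoke routes down to the switch.
            set prefix-list-in "PL-DENY-SPOKE-LAN-IN"
        next
    end
end
```

Routes already in the BGP table before the filter is added are only re-evaluated after a soft or hard reset of that neighbor, so the filter should be verified against a fresh session.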
The_Nude_Deer

So on the DC1 Fortigate, if I set an access-list to deny 192.168.1.0 255.255.255.0,

would I apply this as a distribute-list in, or out?
